Query Active Directory – Security Script

PowerShell script to query Active Directory for the following account conditions:

  • Identify accounts whose password has expired
  • Identify accounts that have not logged on for 30 or 90 days, and accounts that have never logged on
  • Identify accounts that are disabled
  • Identify accounts that cannot change their password
  • Identify accounts that do not require Kerberos pre-authentication for logon (these can be AS-REP roasted, so they are worth reviewing first)
  • Identify accounts with the setting Password Not Required enabled
  • Identify accounts whose password is set to never expire
  • Identify accounts with the setting Store password using reversible encryption enabled

This script imports the Active Directory module, retrieves every user account together with the attributes it needs, builds one object per account, and writes the objects out as a CSV file. Two caveats when reading the report: LastLogonDate is derived from lastLogonTimestamp, which domain controllers replicate only when the stored value is more than about 14 days old, so it can lag the real last logon by up to that long and is blank for accounts that have never logged on; and most of the other columns are read from the userAccountControl bitmask, so each check must test the bit value that the attribute definition actually assigns to that flag.

Import-Module ActiveDirectory

$outputFile = "AD_Users_Report.csv"

# userAccountControl flag values (ADS_USER_FLAG_ENUM). Note that pre-auth is 0x400000;
# 0x80000 is TRUSTED_FOR_DELEGATION, and 0x80 is reversible encryption, not "cannot change password".
$UF_PASSWD_NOTREQD             = 0x0020
$UF_ENCRYPTED_TEXT_PWD_ALLOWED = 0x0080
$UF_DONT_EXPIRE_PASSWD         = 0x10000
$UF_DONT_REQ_PREAUTH           = 0x400000

$now = Get-Date

$report = Get-ADUser -Filter * -Properties PasswordExpired,LastLogonDate,Enabled,CannotChangePassword,userAccountControl | ForEach-Object {
    # LastLogonDate comes from lastLogonTimestamp and is $null for accounts that have never logged on
    $daysSinceLogon = if ($_.LastLogonDate) { [int]($now - $_.LastLogonDate).TotalDays } else { $null }

    [PSCustomObject]@{
        Username                    = $_.SamAccountName
        PasswordExpired             = $_.PasswordExpired
        LastLogonDate               = $_.LastLogonDate
        NeverLoggedOn               = ($null -eq $_.LastLogonDate)
        Inactive30Days              = ($daysSinceLogon -ge 30)
        Inactive90Days              = ($daysSinceLogon -ge 90)
        Enabled                     = $_.Enabled
        # The AD module evaluates CannotChangePassword from the object's ACL; the 0x0040 UAC bit is not reliably set in AD
        CantChangePassword          = $_.CannotChangePassword
        NoPreAuth                   = (($_.userAccountControl -band $UF_DONT_REQ_PREAUTH) -ne 0)
        PasswordNotRequired         = (($_.userAccountControl -band $UF_PASSWD_NOTREQD) -ne 0)
        PasswordNeverExpires        = (($_.userAccountControl -band $UF_DONT_EXPIRE_PASSWD) -ne 0)
        ReversibleEncryptionEnabled = (($_.userAccountControl -band $UF_ENCRYPTED_TEXT_PWD_ALLOWED) -ne 0)
    }
}

# Export-Csv writes the header, quotes every field (so commas in values cannot break the file) and overwrites any existing file
$report | Export-Csv -Path $outputFile -NoTypeInformation
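The checks above all depend on reading the right bit out of userAccountControl, which is where the easy mistakes happen. The following block is an added example, not part of the original script: it decodes a userAccountControl value into the documented flag names, applies the 30-day, 90-day and never-logged-on tests to a handful of constructed sample accounts (svc_backup, jdoe and old_temp are made up for this example), and builds the LDAP bitwise-AND filter that lets a domain controller return only the matching accounts instead of the whole user population. The function names ConvertFrom-UserAccountControl, New-UacLdapFilter and Get-AccountFinding are chosen here and are not AD module cmdlets. It runs without a domain because the sample input is built in-line.

```powershell
# Added example (not the original script): decode userAccountControl into flag names,
# apply the logon-age thresholds, and build the equivalent server-side LDAP filters.
# The sample users below are constructed so the block runs without a domain.

# Flag values from the userAccountControl attribute definition (ADS_USER_FLAG_ENUM)
$UacFlags = [ordered]@{
    ACCOUNTDISABLE             = 0x0002
    PASSWD_NOTREQD             = 0x0020
    PASSWD_CANT_CHANGE         = 0x0040   # not reliably set in AD: the effective control is an ACE on the object
    ENCRYPTED_TEXT_PWD_ALLOWED = 0x0080   # "store password using reversible encryption"
    NORMAL_ACCOUNT             = 0x0200
    DONT_EXPIRE_PASSWORD       = 0x10000
    TRUSTED_FOR_DELEGATION     = 0x80000  # unconstrained delegation; easy to confuse with the pre-auth bit
    DONT_REQ_PREAUTH           = 0x400000
    PASSWORD_EXPIRED           = 0x800000
}

function ConvertFrom-UserAccountControl {
    # Return the name of every flag set in the supplied userAccountControl value
    param([Parameter(Mandatory)][int]$Value)
    $UacFlags.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

function New-UacLdapFilter {
    # 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule, so the DC performs the flag test
    param([Parameter(Mandatory)][string]$FlagName)
    "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=$($UacFlags[$FlagName])))"
}

function Get-AccountFinding {
    # Shape one user like a report row; -ReferenceDate keeps the age check deterministic
    param([Parameter(Mandatory)]$User, [datetime]$ReferenceDate = (Get-Date))
    $days = if ($User.LastLogonDate) { [int]($ReferenceDate - $User.LastLogonDate).TotalDays } else { $null }
    [pscustomobject]@{
        SamAccountName = $User.SamAccountName
        Flags          = (ConvertFrom-UserAccountControl $User.userAccountControl) -join ';'
        NeverLoggedOn  = ($null -eq $User.LastLogonDate)
        Inactive30Days = ($days -ge 30)   # $null -ge 30 is $false, so never-logged-on rows are not double counted
        Inactive90Days = ($days -ge 90)
    }
}

# Constructed sample input mimicking Get-ADUser -Properties userAccountControl,LastLogonDate output
$now = Get-Date
$sampleUsers = @(
    [pscustomobject]@{ SamAccountName = 'svc_backup'; userAccountControl = 0x10200;  LastLogonDate = $now.AddDays(-5) }    # NORMAL + DONT_EXPIRE_PASSWORD
    [pscustomobject]@{ SamAccountName = 'jdoe';       userAccountControl = 0x400200; LastLogonDate = $now.AddDays(-120) }  # NORMAL + DONT_REQ_PREAUTH
    [pscustomobject]@{ SamAccountName = 'old_temp';   userAccountControl = 0x0222;   LastLogonDate = $null }               # NORMAL + ACCOUNTDISABLE + PASSWD_NOTREQD
)

$sampleUsers | ForEach-Object { Get-AccountFinding -User $_ -ReferenceDate $now } | Format-Table -AutoSize

# Against a real domain, ask the DC for only the matching accounts instead of pulling every user:
#   Get-ADUser -LDAPFilter (New-UacLdapFilter DONT_REQ_PREAUTH) -Properties userAccountControl
#   Get-ADUser -LDAPFilter (New-UacLdapFilter ENCRYPTED_TEXT_PWD_ALLOWED)
```

The bitwise-AND filter is the form to prefer for large domains: the full-dump approach in the script above pulls every user and filters client-side, while the LDAP matching rule returns only accounts with the flag set, which is both faster and less noisy in directory access logs.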
